Lucene search
K

1335 matches found

CVE
CVE
added 2026/02/24 4:39 p.m.19 views

CVE-2024-48928

Piwigo CVE-2024-48928 affects 14.x branch installations where secret_key is set to MD5(RAND()) in MySQL. RAND() offers about 30 bits of entropy, making brute-forcing feasible within roughly an hour. The CSRF token partially derives from the secret_key, allowing verification of a brute-force attem...

7.5CVSS5.4AI score0.0026EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/02/24 12:0 a.m.4 views

PT-2026-21769

Name of the Vulnerable Software and Affected Versions Piwigo versions 14.x Description Piwigo is a photo gallery application for the web. In versions on the 14.x branch, the secret key configuration parameter is set to MD5RAND during installation when using MySQL. The RAND function has limited...

7.5CVSS5.2AI score0.0026EPSS
Exploits0References6
Github Security Blog
Github Security Blog
added 2026/02/17 6:44 p.m.6 views

Unauthenticated File Upload in Gogs

Security Advisory:Unauthenticated File Upload in Gogs Vulnerability Type: Unauthenticated File Upload Date: Aug 5, 2025 Discoverer: OpenAI Security Research Summary Gogs exposes unauthenticated file upload endpoints by default. When the global RequireSigninView setting is disabled default, any...

9.8CVSS5.6AI score0.00618EPSS
Exploits1References6Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/02/12 12:0 a.m.6 views

GitLab 18.4 < 18.4.4 / 18.5 < 18.5.2 (CVE-2025-11990)

The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab EE affecting all versions from 18.4 before 18.4.4, and 18.5 before 18.5.2 that could have allowed an authenticated user to gain CSRF tokens by exploiting...

3.5CVSS5.7AI score0.00263EPSS
Exploits0References5
GithubExploit
GithubExploit
added 2026/02/01 1:23 a.m.186 views

Exploit for CVE-2025-2304

Camaleon CMS -p Arguments - -t, --target Base t...

9.4CVSS5.9AI score0.00566EPSS
Exploits16
RedhatCVE
RedhatCVE
added 2026/01/29 3:18 p.m.17 views

CVE-2025-59891

Cross-Site request forgery CSRF vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of...

8.5CVSS5.9AI score0.00127EPSS
Exploits0References1
CVE
CVE
added 2026/01/22 3:31 a.m.17 views

CVE-2026-24037

Horilla HRMS has_XSS bypass in version 1.4.0 due to incomplete, context-agnostic regex filtering in has_xss(), enabling attackers to redirect users, run external JavaScript, and steal CSRF tokens for admin-targeted CSRF attacks. The issue is fixed in version 1.5.0. Affected: Horilla 1.4.x → fixed...

5.4CVSS5.3AI score0.00227EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/01/22 3:31 a.m.6 views

CVE-2026-24037 Horilla HRM has XSS Bypass through Project Name

Horilla is a free and open source Human Resource Management System HRMS. In version 1.4.0, the hasxss function attempts to block XSS by matching input against a set of regex patterns. However, the regexes are incomplete and context-agnostic, making them easy to bypass. Attackers are able to...

4.8CVSS5.4AI score0.00227EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2026/01/22 12:0 a.m.9 views

PT-2026-3913

Name of the Vulnerable Software and Affected Versions Horilla versions prior to 1.5.0 Description Horilla is a Human Resource Management System HRMS. The has xss function in version 1.4.0 attempts to prevent Cross-Site Scripting XSS by using regular expressions to filter input. However, these...

5.4CVSS5.9AI score0.00227EPSS
Exploits1References11
RedhatCVE
RedhatCVE
added 2026/01/09 12:34 p.m.8 views

CVE-2023-45374

An issue was discovered in the SportsTeams extension for MediaWiki before 1.35.12, 1.36.x through 1.39.x before 1.39.5, and 1.40.x before 1.40.1. It does not check for the anti-CSRF edit token in Special:SportsTeamsManager and Special:UpdateFavoriteTeams...

5.3CVSS6.9AI score0.00186EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 11:27 a.m.7 views

CVE-2021-33338

The Layout module in Liferay Portal 7.1.0 through 7.3.2, and Liferay DXP 7.1 before fix pack 19, and 7.2 before fix pack 6, exposes the CSRF token in URLs, which allows man-in-the-middle attackers to obtain the token and conduct Cross-Site Request Forgery CSRF attacks via the pauth parameter...

7.5CVSS7AI score0.00424EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 11:25 a.m.10 views

CVE-2021-28055

An issue was discovered in Centreon-Web in Centreon Platform 20.10.0. The anti-CSRF token generation is predictable, which might allow CSRF attacks that add an admin user...

6.5CVSS6.9AI score0.00823EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:51 a.m.12 views

CVE-2022-42975

socket/transport.ex in Phoenix before 1.6.14 mishandles checkorigin wildcarding. NOTE: LiveView applications are unaffected by default because of the presence of a LiveView CSRF token...

7.5CVSS6.9AI score0.0052EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 10:18 a.m.9 views

CVE-2019-18376

A CSRF token disclosure vulnerability allows a remote attacker, with access to an authenticated Management Center MC user's web browser history or a network device that intercepts/logs traffic to MC, to obtain CSRF tokens and use them to perform CSRF attacks against MC...

5.9CVSS6.7AI score0.00705EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/01/09 8:44 a.m.23 views

CVE-2022-23475

daloRADIUS is an open source RADIUS web management application. daloRadius 1.3 and prior are vulnerable to a combination cross site scripting XSS and cross site request forgery CSRF vulnerability which leads to account takeover in the mng-del.php file because of an unescaped variable reflected in...

8.8CVSS5.7AI score0.00454EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/01/07 9:50 a.m.6 views

CVE-2022-27671

A CSRF token visible in the URL may possibly lead to information disclosure vulnerability...

6.5CVSS6.6AI score0.01241EPSS
Exploits0References1
NVD
NVD
added 2025/12/23 8:15 p.m.7 views

CVE-2021-47735

CMSimple 5.4 contains an authenticated remote code execution vulnerability that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by crafting a reverse shell payload and saving it through the template editing...

8.8CVSS0.0076EPSS
Exploits1References3
OSV
OSV
added 2025/12/23 8:15 p.m.6 views

CVE-2021-47736

CMSimpleXH 1.7.4 contains an authenticated remote code execution vulnerability in the content editing functionality that allows administrative users to upload malicious PHP files. Attackers with valid credentials can exploit the CSRF token mechanism to create a PHP shell file that enables arbitra...

8.6CVSS8.3AI score0.00926EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2025/12/23 12:0 a.m.9 views

PT-2025-52835

Name of the Vulnerable Software and Affected Versions CMSimple version 5.4 Description The software contains an authenticated remote code execution issue that allows logged-in attackers to inject malicious PHP code into template files. Attackers can exploit the template editing functionality by...

8.8CVSS7.7AI score0.0076EPSS
Exploits1References6
CNNVD
CNNVD
added 2025/12/18 12:0 a.m.6 views

linkding 安全漏洞

linkding is a bookmark manager that can be self-hosted by the individual developer Sascha Ißbrücker. A security vulnerability exists in linkding that stems from the file upload feature in the bookmarks and asset rendering pipeline that allows the upload of malicious SVG files containing JavaScrip...

8.2CVSS6.7AI score0.00256EPSS
Exploits0References2
Rows per page
Query Builder